idella4 14/03/26 07:45:51 |
|
Added: sec-patch-CVE-2014-1624.patch |
Log: |
add sec patch wrt Bug #498934, rm old |
|
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D) |
|
Revision Changes Path |
1.1 dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch?rev=1.1&content-type=text/plain |
|
Index: sec-patch-CVE-2014-1624.patch |
=================================================================== |
Improve security of get_runtime_dir(strict=False) |
https://github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4 |
diff --git a/xdg/BaseDirectory.py b/xdg/BaseDirectory.py |
20 |
index cececa3..a7c31b1 100644 |
21 |
--- a/xdg/BaseDirectory.py |
22 |
+++ b/xdg/BaseDirectory.py |
23 |
@@ -25,7 +25,7 @@ |
24 |
Note: see the rox.Options module for a higher-level API for managing options. |
25 |
""" |
26 |
|
27 |
-import os |
28 |
+import os, stat |
29 |
|
30 |
_home = os.path.expanduser('~') |
31 |
xdg_data_home = os.environ.get('XDG_DATA_HOME') or \ |
32 |
@@ -131,15 +131,30 @@ def get_runtime_dir(strict=True): |
33 |
|
34 |
import getpass |
35 |
fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser() |
36 |
+ create = False |
37 |
+ |
38 |
try: |
39 |
- os.mkdir(fallback, 0o700) |
40 |
+ # This must be a real directory, not a symlink, so attackers can't |
41 |
+ # point it elsewhere. So we use lstat to check it. |
42 |
+ st = os.lstat(fallback) |
43 |
except OSError as e: |
44 |
import errno |
45 |
- if e.errno == errno.EEXIST: |
46 |
- # Already exists - set 700 permissions again. |
47 |
- import stat |
48 |
- os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR) |
49 |
- else: # pragma: no cover |
50 |
+ if e.errno == errno.ENOENT: |
51 |
+ create = True |
52 |
+ else: |
53 |
raise |
54 |
- |
55 |
+ else: |
56 |
+ # The fallback must be a directory |
57 |
+ if not stat.S_ISDIR(st.st_mode): |
58 |
+ os.unlink(fallback) |
59 |
+ create = True |
60 |
+ # Must be owned by the user and not accessible by anyone else |
61 |
+ elif (st.st_uid != os.getuid()) \ |
62 |
+ or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)): |
63 |
+ os.rmdir(fallback) |
64 |
+ create = True |
65 |
+ |
66 |
+ if create: |
67 |
+ os.mkdir(fallback, 0o700) |
68 |
+ |
69 |
return fallback |
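Review bot: The `os.lstat(fallback)` check and the later `os.mkdir(fallback, 0o700)` are not atomic, and the hunk does not say what happens when a path appears in between: mkdir then raises OSError with errno EEXIST, so the function fails closed instead of silently reusing a directory it never verified, but a reader has to work that out. The same applies to the cleanup branches, where `os.unlink(fallback)` and `os.rmdir(fallback)` can raise OSError (a non-empty directory, or one owned by another user under a sticky world-writable /tmp, presumably), and those exceptions propagate to the caller. A comment above `if create:` such as `# Not atomic with the lstat() above: if the path appears in between, mkdir raises EEXIST rather than reusing an unverified directory; unlink/rmdir failures also propagate.` would make the fail-closed contract explicit, and the docstring of get_runtime_dir, whose signature and body start outside this hunk, should state that OSError may be raised when the fallback cannot be made safe.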